

# Specifying and Verifying System Properties

Wolfgang Schreiner  
[Wolfgang.Schreiner@risc.jku.at](mailto:Wolfgang.Schreiner@risc.jku.at)

Research Institute for Symbolic Computation (RISC)  
Johannes Kepler University, Linz, Austria  
<https://www.risc.jku.at>





---

- 1. The Basics of Temporal Logic**
- 2. Specifying with Linear Time Logic**
- 3. Verifying Safety Properties by Computer-Supported Proving**

# Motivation



We need a language for specifying system properties.



- A system  $S$  is a pair  $\langle I, R \rangle$ .
  - Initial states  $I$ , transition relation  $R$ .
  - More intuitive: reachability graph.
    - Starting from an initial state  $s_0$ , the system runs evolve.
- Consider the reachability graph as an infinite **computation tree**.
  - Different tree nodes may denote occurrences of the same state.
    - Each occurrence of a state has a unique predecessor in the tree.
  - Every path in this tree is infinite.
    - Every finite run  $s_0 \rightarrow \dots \rightarrow s_n$  is extended to an infinite run  $s_0 \rightarrow \dots \rightarrow s_n \rightarrow s_n \rightarrow s_n \rightarrow \dots$
- Or simply consider the graph as a **set of system runs**.
  - Same state may occur multiple times (in one or in different runs).

Temporal logic describes such trees respectively sets of system runs.

# Computation Trees versus System Runs



State Transition Graph or  
Kripke Model



Unwind State Graph to obtain Infinite Tree

Set of system runs:

$[a, b] \rightarrow c \rightarrow c \rightarrow \dots$

$[a, b] \rightarrow [b, c] \rightarrow c \rightarrow \dots$

$[a, b] \rightarrow [b, c] \rightarrow [a, b] \rightarrow \dots$

$[a, b] \rightarrow [b, c] \rightarrow [a, b] \rightarrow \dots$

$\dots$

Figure 3.1

Computation trees.

Edmund Clarke et al: "Model Checking", 1999.



# State Formula

---

Temporal logic is based on classical logic.

- A **state formula**  $F$  is evaluated on a state  $s$ .
  - Any predicate logic formula is a state formula:  
 $p(x), \neg F, F_0 \wedge F_1, F_0 \vee F_1, F_0 \Rightarrow F_1, F_0 \Leftrightarrow F_1, \forall x : F, \exists x : F$ .
  - In **propositional temporal logic** only propositional logic formulas are state formulas (no quantification):  
 $p, \neg F, F_0 \wedge F_1, F_0 \vee F_1, F_0 \Rightarrow F_1, F_0 \Leftrightarrow F_1$ .
- **Semantics:**  $s \models F$  (“ $F$  holds in state  $s$ ”).
  - Example: semantics of conjunction.
    - $(s \models F_0 \wedge F_1) \Leftrightarrow (s \models F_0) \wedge (s \models F_1)$ .
    - “ $F_0 \wedge F_1$  holds in  $s$  if and only if  $F_0$  holds in  $s$  and  $F_1$  holds in  $s$ ”.

Classical logic reasoning on individual states.



# Temporal Logic

---

Extension of classical logic to reason about multiple states.

- Temporal logic is an instance of **modal logic**.
  - Logic of “multiple worlds (situations)” that are in some way related.
  - Relationship may e.g. be a **temporal** one.
  - Amir Pnueli, 1977: temporal logic is suited to system specifications.
  - Many variants, two fundamental classes.
- **Branching Time Logic**
  - Semantics defined over **computation trees**.  
At each moment, there are multiple possible futures.
  - Prominent variant: **CTL**.  
Computation tree logic; a propositional branching time logic.
- **Linear Time Logic**
  - Semantics defined over **sets of system runs**.  
At each moment, there is only one possible future.
  - Prominent variant: **PLTL**.  
A propositional linear time logic.



# Branching Time Logic (CTL)

---

We use temporal logic to specify a system property  $F$ .

- **Core question:**  $S \models F$  (" $F$  holds in system  $S$ ").
  - System  $S = \langle I, R \rangle$ , temporal logic formula  $F$ .
- **Branching time logic:**
  - $S \models F \Leftrightarrow S, s_0 \models F$ , for every initial state  $s_0$  of  $S$ .
  - Property  $F$  must be evaluated on every pair of system  $S$  and initial state  $s_0$ .
  - Given a computation tree with root  $s_0$ ,  $F$  is evaluated on **that tree**.

CTL formulas are evaluated on computation trees.



# State Formulas

---

We have additional state formulas.

- A **state formula**  $F$  is evaluated on state  $s$  of System  $S$ .
  - Every (classical) state formula  $f$  is such a state formula.
  - Let  $P$  denote a **path formula** (later).
    - Evaluated on a **path** (state sequence)  $p = p_0 \rightarrow p_1 \rightarrow p_2 \rightarrow \dots$   
 $R(p_i, p_{i+1})$  for every  $i$ ;  $p_0$  need not be an initial state.
  - Then the following are **state formulas**:
    - A**  $P$  ("in every path  $P$ "),
    - E**  $P$  ("in some path  $P$ ").
  - **Path quantifiers: A, E.**
- **Semantics:**  $S, s \models F$  ("F holds in state  $s$  of system  $S$ ").
  - $S, s \models f \Leftrightarrow s \models f$ .
  - $S, s \models \mathbf{A} P \Leftrightarrow S, p \models P$ , for every path  $p$  of  $S$  with  $p_0 = s$ .
  - $S, s \models \mathbf{E} P \Leftrightarrow S, p \models P$ , for some path  $p$  of  $S$  with  $p_0 = s$ .



# Path Formulas

---

We have a class of formulas that are not evaluated over individual states.

- A **path formula**  $P$  is evaluated on a path  $p$  of system  $S$ .

- Let  $F$  and  $G$  denote **state formulas**.
- Then the following are **path formulas**:

$\mathbf{X} F$  ("next time  $F$ "),

$\mathbf{G} F$  ("always  $F$ "),

$\mathbf{F} F$  ("eventually  $F$ "),

$F \mathbf{U} G$  (" $F$  until  $G$ ").

- **Temporal operators:**  $\mathbf{X}, \mathbf{G}, \mathbf{F}, \mathbf{U}$ .
- **Semantics:**  $S, p \models P$  (" $P$  holds in path  $p$  of system  $S$ ").

$$S, p \models \mathbf{X} F \Leftrightarrow S, p_1 \models F.$$

$$S, p \models \mathbf{G} F \Leftrightarrow \forall i \in \mathbb{N} : S, p_i \models F.$$

$$S, p \models \mathbf{F} F \Leftrightarrow \exists i \in \mathbb{N} : S, p_i \models F.$$

$$S, p \models F \mathbf{U} G \Leftrightarrow \exists i \in \mathbb{N} : S, p_i \models G \wedge \forall j \in \mathbb{N}_i : S, p_j \models F.$$

# Path Formulas

 $F\varphi$  $G\varphi$  $X\varphi$  $\varphi \cup \psi$ 

Thomas Kropf: "Introduction to Formal Hardware Verification", 1999.

# Path Quantifiers and Temporal Operators



$M, s_0 \models \mathbf{EF} g$



$M, s_0 \models \mathbf{AF} g$



$M, s_0 \models \mathbf{EG} g$



$M, s_0 \models \mathbf{AG} g$

Edmund Clarke et al: "Model Checking", 1999.

# Linear Time Logic (LTL)



We use temporal logic to specify a system property  $P$ .

- **Core question:**  $S \models P$  (" $P$  holds in system  $S$ ").
  - System  $S = \langle I, R \rangle$ , temporal logic formula  $P$ .
- **Linear time logic:**
  - $S \models P \Leftrightarrow r \models P$ , for every run  $r$  of  $S$ .
  - Property  $P$  must be evaluated on every run  $r$  of  $S$ .
  - Given a computation tree with root  $s_0$ ,  $P$  is evaluated on **every path** of that tree originating in  $s_0$ .
    - If  $P$  holds for every path,  $P$  holds on  $S$ .

LTL formulas are evaluated on system runs.

# Formulas

---



No path quantifiers; all formulas are path formulas.

- Every **formula** is evaluated on a path  $p$ .
  - Also every state formula  $f$  of classical logic (see below).
  - Let  $F$  and  $G$  denote formulas.
  - Then also the following are formulas:

**X**  $F$  ("next time  $F$ "), often written  $\bigcirc F$ ,

**G**  $F$  ("always  $F$ "), often written  $\Box F$ ,

**F**  $F$  ("eventually  $F$ "), often written  $\Diamond F$ ,

$F$  **U**  $G$  (" $F$  until  $G$ ").

- **Semantics:**  $p \models P$  (" $P$  holds in path  $p$ ").

■  $p^i := \langle p_i, p_{i+1}, \dots \rangle$ .

$p \models f \Leftrightarrow p_0 \models f$ .

$p \models \mathbf{X} F \Leftrightarrow p^1 \models F$ .

$p \models \mathbf{G} F \Leftrightarrow \forall i \in \mathbb{N} : p^i \models F$ .

$p \models \mathbf{F} F \Leftrightarrow \exists i \in \mathbb{N} : p^i \models F$ .

$p \models F \mathbf{U} G \Leftrightarrow \exists i \in \mathbb{N} : p^i \models G \wedge \forall j \in \mathbb{N} : p^j \models F$ .

# Formulas



$F\varphi$



$G\varphi$



$X\varphi$



$\varphi \cup \psi$



Thomas Kropf: "Introduction to Formal Hardware Verification", 1999.



# Branching versus Linear Time Logic

---

We use temporal logic to specify a system property  $P$ .

- **Core question:**  $S \models P$  (" $P$  holds in system  $S$ ").
  - System  $S = \langle I, R \rangle$ , temporal logic formula  $P$ .
- **Branching time logic:**
  - $S \models P \Leftrightarrow S, s_0 \models P$ , for every initial state  $s_0$  of  $S$ .
  - Property  $P$  must be evaluated on every pair  $(S, s_0)$  of system  $S$  and initial state  $s_0$ .
  - Given a computation tree with root  $s_0$ ,  $P$  is evaluated on **that tree**.
- **Linear time logic:**
  - $S \models P \Leftrightarrow r \models P$ , for every run  $r$  of  $s$ .
  - Property  $P$  must be evaluated on every run  $r$  of  $S$ .
  - Given a computation tree with root  $s_0$ ,  $P$  is evaluated on **every path** of that tree originating in  $s_0$ .
    - If  $P$  holds for every path,  $P$  holds on  $S$ .

# Branching versus Linear Time Logic



Fig. 2.4. Two automata, indistinguishable for PLTL

B. Berard et al: "Systems and Software Verification", 2001.

- **Linear time logic:** both systems have the same runs.
  - Thus every formula has same truth value in both systems.
- **Branching time logic:** the systems have different computation trees.
  - Take formula  $\mathbf{AX}(\mathbf{EX} Q \wedge \mathbf{EX} \neg Q)$ .
  - True for left system, false for right system.

The two variants of temporal logic have different expressive power.

# Branching versus Linear Time Logic



Is one temporal logic variant more expressive than the other one?

- CTL formula:  $\mathbf{AG}(\mathbf{EF} F)$ .
  - "In every run, it is at any time still **possible** that later  $F$  will hold".
  - Property cannot be expressed by **any** LTL logic formula.
- LTL formula:  $\diamond\Box F$  (i.e.  $\mathbf{FG} F$ ).
  - "In every run, there is a moment from which on  $F$  holds forever.". .
  - Naive translation  $\mathbf{A}\mathbf{FG} F$  is **not** a CTL formula.
    - $\mathbf{G} F$  is a path formula, but  $\mathbf{F}$  expects a state formula!
  - Translation  $\mathbf{AFAG} F$  expresses a **stronger** property (see next page).
  - Property cannot be expressed by **any** CTL formula.

None of the two variants is strictly more expressive than the other one; no variant can express every system property.



Fig. 4-8. Expressiveness of CTL\*, CTL+, CTL and LTL

Thomas Kropf: "Introduction to Formal Hardware Verification", 1999.



# Branching versus Linear Time Logic

Proof that **AFAG F** (CTL) is different from  $\Diamond\Box F$  (LTL).



**AFAG F**  $\Leftrightarrow$  false



$\Diamond\Box F$   $\Leftrightarrow$  true

In every run, there is a moment when it is guaranteed that from now on F holds forever.

In every run, there is a moment from which on F holds forever.



---

1. The Basics of Temporal Logic
2. Specifying with Linear Time Logic
3. Verifying Safety Properties by Computer-Supported Proving

# Linear Time Logic

---



Why using linear time logic (LTL) for system specifications?

- LTL has many **advantages**:
  - LTL formulas are **easier to understand**.
    - Reasoning about computation paths, not computation trees.
    - No explicit path quantifiers used.
  - LTL can express most interesting system properties.
    - Invariance, guarantee, response, ... (see later).
  - LTL can express **fairness constraints** (see later).
    - CTL cannot do this.
    - But CTL can express that a state is reachable (which LTL cannot).
- LTL has also some **disadvantages**:
  - LTL is strictly less expressive than other specification languages.
    - CTL\* or  $\mu$ -calculus.
  - Asymptotic complexity of model checking is higher.
    - LTL: exponential in size of formula; CTL: linear in size of formula.
    - In practice the **number of states** dominates the checking time.



# Frequently Used LTL Patterns

---

In practice, most temporal formulas are instances of particular patterns.

| Pattern                                   | Pronounced                                              | Name       |
|-------------------------------------------|---------------------------------------------------------|------------|
| $\square F$                               | always $F$                                              | invariance |
| $\diamond F$                              | eventually $F$                                          | guarantee  |
| $\square \diamond F$                      | $F$ holds infinitely often                              | recurrence |
| $\diamond \square F$                      | eventually $F$ holds permanently                        | stability  |
| $\square(F \Rightarrow \diamond G)$       | always, if $F$ holds, then<br>eventually $G$ holds      | response   |
| $\square(F \Rightarrow (G \mathbf{U} H))$ | always, if $F$ holds, then<br>$G$ holds until $H$ holds | precedence |

Typically, there are at most two levels of nesting of temporal operators.

# Examples



- **Mutual exclusion:**  $\square \neg (pc_1 = C \wedge pc_2 = C)$ .
  - Alternatively:  $\neg \diamond (pc_1 = C \wedge pc_2 = C)$ .
  - Never both components are simultaneously in the critical region.
- **No starvation:**  $\forall i : \square (pc_i = W \Rightarrow \diamond pc_i = R)$ .
  - Always, if component  $i$  waits for a response, it eventually receives it.
- **No deadlock:**  $\square \neg \forall i : pc_i = W$ .
  - Never all components are simultaneously in a wait state  $W$ .
- **Precedence:**  $\forall i : \square (pc_i \neq C \Rightarrow (pc_i \neq C \mathbf{U} lock = i))$ .
  - Always, if component  $i$  is out of the critical region, it stays out until it receives the shared lock variable (which it eventually does).
- **Partial correctness:**  $\square (pc = L \Rightarrow C)$ .
  - Always if the program reaches line  $L$ , the condition  $C$  holds.
- **Termination:**  $\forall i : \diamond (pc_i = T)$ .
  - Every component eventually terminates.



# Example

If event  $a$  occurs, then  $b$  must occur before  $c$  can occur (a run  $\dots, a, (\neg b)^*, c, \dots$  is illegal).

## ■ First idea (wrong)

$$a \Rightarrow \dots$$

- Every run  $d, \dots$  becomes legal.

## ■ Next idea (correct)

$$\square(a \Rightarrow \dots)$$

## ■ First attempt (wrong)

$$\square(a \Rightarrow (b \mathbf{U} c))$$

- Run  $a, b, \neg b, c, \dots$  is illegal.

## ■ Second attempt (better)

$$\square(a \Rightarrow (\neg c \mathbf{U} b))$$

- Run  $a, \neg c, \neg c, \neg c, \dots$  is illegal.

## ■ Third attempt (correct)

$$\square(a \Rightarrow ((\square \neg c) \vee (\neg c \mathbf{U} b)))$$

Specifier has to think in terms of allowed/prohibited sequences.



# Temporal Rules

---

Temporal operators obey a number of fairly intuitive rules.

- Extraction laws:

- $\Box F \Leftrightarrow F \wedge \Box \Box F.$
- $\Diamond F \Leftrightarrow F \vee \Box \Diamond F.$
- $F \mathbf{U} G \Leftrightarrow G \vee (F \wedge \Box (F \mathbf{U} G)).$

- Negation laws:

- $\neg \Box F \Leftrightarrow \Diamond \neg F.$
- $\neg \Diamond F \Leftrightarrow \Box \neg F.$
- $\neg (F \mathbf{U} G) \Leftrightarrow ((\neg G) \mathbf{U} (\neg F \wedge \neg G)) \vee \neg \Diamond G.$

- Distributivity laws:

- $\Box (F \wedge G) \Leftrightarrow (\Box F) \wedge (\Box G).$
- $\Diamond (F \vee G) \Leftrightarrow (\Diamond F) \vee (\Diamond G).$
- $(F \wedge G) \mathbf{U} H \Leftrightarrow (F \mathbf{U} H) \wedge (G \mathbf{U} H).$
- $F \mathbf{U} (G \vee H) \Leftrightarrow (F \mathbf{U} G) \vee (F \mathbf{U} H).$
- $\Box \Diamond (F \vee G) \Leftrightarrow (\Box \Diamond F) \vee (\Box \Diamond G).$
- $\Diamond \Box (F \wedge G) \Leftrightarrow (\Diamond \Box F) \wedge (\Diamond \Box G).$



# Classes of System Properties

---

There exists two important classes of system properties.

## ■ Safety Properties:

- A safety property is a property such that, if it is violated by a run, it is already violated by some **finite prefix** of the run.
  - This finite prefix cannot be extended in any way to a complete run satisfying the property.
- Example:  $\Box F$  (with state property  $F$ ).
  - The violating run  $F \rightarrow F \rightarrow \neg F \rightarrow \dots$  has the prefix  $F \rightarrow F \rightarrow \neg F$  that cannot be extended in any way to a run satisfying  $\Box F$ .

## ■ Liveness Properties:

- A liveness property is a property such that every finite prefix can be extended to a complete run satisfying this property.
  - Only a **complete run itself** can violate that property.
- Example:  $\Diamond F$  (with state property  $F$ ).
  - Any finite prefix  $p$  can be extended to a run  $p \rightarrow F \rightarrow \dots$  which satisfies  $\Diamond F$ .



# System Properties

---

Not every system property is itself a safety property or a liveness property.

- Example:  $P : \Leftrightarrow (\square A) \wedge (\diamond B)$  (with state properties  $A$  and  $B$ )
  - Conjunction of a safety property and a liveness property.
- Take the run  $[A, \neg B] \rightarrow [A, \neg B] \rightarrow [A, \neg B] \rightarrow \dots$  violating  $P$ .
  - Any prefix  $[A, \neg B] \rightarrow \dots \rightarrow [A, \neg B]$  of this run can be extended to a run  $[A, \neg B] \rightarrow \dots \rightarrow [A, \neg B] \rightarrow [A, B] \rightarrow [A, B] \rightarrow \dots$  satisfying  $P$ .
  - Thus  $P$  is not a safety property.
- Take the finite prefix  $[\neg A, B]$ .
  - This prefix cannot be extended in any way to a run satisfying  $P$ .
  - Thus  $P$  is not a liveness property.

So is the distinction “safety” versus “liveness” really useful?.



# System Properties

---

The real importance of the distinction is stated by the following theorem.

■ **Theorem:**

Every system property  $P$  is a conjunction  $S \wedge L$  of some safety property  $S$  and some liveness property  $L$ .

- If  $L$  is “true”, then  $P$  itself is a safety property.
- If  $S$  is “true”, then  $P$  itself is a liveness property.

■ **Consequence:**

- Assume we can decompose  $P$  into appropriate  $S$  and  $L$ .
- For verifying  $M \models P$ , it then suffices to verify:
  - **Safety:**  $M \models S$ .
  - **Liveness:**  $M \models L$ .
- Different strategies for verifying safety and liveness properties.

For verification, it is important to decompose a system property in its “safety part” and its “liveness part”.

# Verifying Safety



We only consider a special case of a safety property.

- $M \models \Box F$ .
  - $F$  is a state formula (a formula without temporal operator).
  - Verify that  $F$  is an **invariant** of system  $M$ .
- $M = \langle I, R \rangle$ .
  - $I(s) : \Leftrightarrow \dots$
  - $R(s, s') : \Leftrightarrow R_0(s, s') \vee R_1(s, s') \vee \dots \vee R_{n-1}(s, s')$ .
- **Induction Proof.**
  - $\forall s : I(s) \Rightarrow F(s)$ .
    - Proof that  $F$  holds in every initial state.
  - $\forall s, s' : F(s) \wedge R(s, s') \Rightarrow F(s')$ .
    - Proof that each transition preserves  $F$ .
    - Reduces to a number of subproofs:

$$F(s) \wedge R_0(s, s') \Rightarrow F(s')$$

...

$$F(s) \wedge R_{n-1}(s, s') \Rightarrow F(s')$$

# Example



```
var x := 0
loop
  p0 : wait x = 0
  p1 : x := x + 1
  || 
  loop
    q0 : wait x = 1
    q1 : x := x - 1
```

$State = \{p_0, p_1\} \times \{q_0, q_1\} \times \mathbb{Z}$ .

$I(p, q, x) : \Leftrightarrow p = p_0 \wedge q = q_0 \wedge x = 0$ .

$R(\langle p, q, x \rangle, \langle p', q', x' \rangle) : \Leftrightarrow P_0(\dots) \vee P_1(\dots) \vee Q_0(\dots) \vee Q_1(\dots)$ .

$P_0(\langle p, q, x \rangle, \langle p', q', x' \rangle) : \Leftrightarrow p = p_0 \wedge x = 0 \wedge p' = p_1 \wedge q' = q \wedge x' = x$ .

$P_1(\langle p, q, x \rangle, \langle p', q', x' \rangle) : \Leftrightarrow p = p_1 \wedge p' = p_0 \wedge q' = q \wedge x' = x + 1$ .

$Q_0(\langle p, q, x \rangle, \langle p', q', x' \rangle) : \Leftrightarrow q = q_0 \wedge x = 1 \wedge p' = p \wedge q' = q_1 \wedge x' = x$ .

$Q_1(\langle p, q, x \rangle, \langle p', q', x' \rangle) : \Leftrightarrow q = q_1 \wedge p' = p \wedge q' = q_0 \wedge x' = x - 1$ .

Prove  $\langle I, R \rangle \models \Box(x = 0 \vee x = 1)$ .

# Inductive System Properties



The induction strategy may not work for proving  $\square F$

- **Problem:**  $F$  is not inductive.
  - $F$  is too weak to prove the induction step.
    - $F(s) \wedge R(s, s') \Rightarrow F(s')$ .
- **Solution:** find stronger invariant  $I$ .
  - If  $I \Rightarrow F$ , then  $(\square I) \Rightarrow (\square F)$ .
  - It thus suffices to prove  $\square I$ .
- **Rationale:**  $I$  may be inductive.
  - If yes,  $I$  is strong enough to prove the induction step.
    - $I(s) \wedge R(s, s') \Rightarrow I(s')$ .
  - If not, find a stronger invariant  $I'$  and try again.
- Invariant  $I$  represents additional knowledge for every proof.
  - Rather than proving  $\square P$ , prove  $\square(I \Rightarrow P)$ .

The behavior of a system is captured by its strongest invariant.

# Example

---



- Prove  $\langle I, R \rangle \models \Box(x = 0 \vee x = 1)$ .
  - Proof attempt fails.
- Prove  $\langle I, R \rangle \models \Box G$ .

$$\begin{aligned} G :&\Leftrightarrow \\ &(x = 0 \vee x = 1) \wedge \\ &(p = p_1 \Rightarrow x = 0) \wedge \\ &(q = q_1 \Rightarrow x = 1). \end{aligned}$$

- Proof works.
- $G \Rightarrow (x = 0 \vee x = 1)$  obvious.

See the proof presented in class.



# Verifying Liveness

```

var  $x := 0, y := 0$ 
loop || loop
       $x := x + 1$             $y := y + 1$ 
  
```

*State* =  $\mathbb{N} \times \mathbb{N}$ ; *Label* = {P, Q}.

$I(x, y) : \Leftrightarrow x = 0 \wedge y = 0$ .

$R(I, \langle x, y \rangle, \langle x', y' \rangle) : \Leftrightarrow$

$(I = P \wedge x' = x + 1 \wedge y' = y) \vee (I = Q \wedge x' = x \wedge y' = y + 1)$ .

- $\langle I, R \rangle \not\models \diamond x = 1$ .
  - $[x = 0, y = 0] \xrightarrow{Q} [x = 0, y = 1] \xrightarrow{Q} [x = 0, y = 2] \xrightarrow{Q} \dots$
  - This run violates (as the only one)  $\diamond x = 1$ .
  - Thus the system as a whole does not satisfy  $\diamond x = 1$ .

For verifying liveness properties, “unfair” runs have to be ruled out.

# Enabling Condition



When is a particular transition enabled for execution?

- $Enabled_R(l, s) : \Leftrightarrow \exists t : R(l, s, t)$ .
  - Labeled transition relation  $R$ , label  $l$ , state  $s$ .
  - Read: “Transition (with label)  $l$  is enabled in state  $s$  (w.r.t.  $R$ )”.
- Example (previous slide):

$$\begin{aligned} & Enabled_R(P, \langle x, y \rangle) \\ & \Leftrightarrow \exists x', y' : R(P, \langle x, y \rangle, \langle x', y' \rangle) \\ & \Leftrightarrow \exists x', y' : \\ & \quad (P = P \wedge x' = x + 1 \wedge y' = y) \vee \\ & \quad (P = Q \wedge x' = x \wedge y' = y + 1) \\ & \Leftrightarrow (\exists x', y' : P = P \wedge x' = x + 1 \wedge y' = y) \vee \\ & \quad (\exists x', y' : P = Q \wedge x' = x \wedge y' = y + 1) \\ & \Leftrightarrow \text{true} \vee \text{false} \\ & \Leftrightarrow \text{true}. \end{aligned}$$

- Transition  $P$  is always enabled.



# Weak Fairness

## ■ Weak Fairness

- A run  $s_0 \xrightarrow{l_0} s_1 \xrightarrow{l_1} s_2 \xrightarrow{l_2} \dots$  is **weakly fair** to a transition  $l$ , if
  - if transition  $l$  is eventually **permanently** enabled in the run,
  - then transition  $l$  is executed infinitely often in the run.
$$(\exists i : \forall j \geq i : \text{Enabled}_R(l, s_j)) \Rightarrow (\forall i : \exists j \geq i : l_j = l).$$
- The run in the previous example was not weakly fair to transition  $P$ .

## ■ LTL formulas may **explicitly specify** weak fairness constraints.

- Let  $E_l$  denote the enabling condition of transition  $l$ .
- Let  $X_l$  denote the predicate “transition  $l$  is executed”.
- Define  $WF_l : \Leftrightarrow (\diamond \square E_l) \Rightarrow (\square \diamond X_l)$ .

If  $l$  is eventually enabled forever, it is executed infinitely often.

- Prove  $\langle I, R \rangle \models (WF_l \Rightarrow F)$ .

Property  $F$  is only proved for runs that are weakly fair to  $l$ .

Alternatively, a model may also have weak fairness “built in”.

# Example



*State* =  $\mathbb{N} \times \mathbb{N}$ ; *Label* = {P, Q}.

$I(x, y) : \Leftrightarrow x = 0 \wedge y = 0$ .

$R(I, \langle x, y \rangle, \langle x', y' \rangle) : \Leftrightarrow$

$(I = P \wedge x' = x + 1 \wedge y' = y) \vee (I = Q \wedge x' = x \wedge y' = y + 1)$ .

- $\langle I, R \rangle \models \text{WF}_P \Rightarrow \Diamond x = 1$ .
  - $[x = 0, y = 0] \xrightarrow{Q} [x = 0, y = 1] \xrightarrow{Q} [x = 0, y = 2] \xrightarrow{Q} \dots$
  - This (only) violating run is not weakly fair to transition P.
    - P is always enabled.
    - P is never executed.

System satisfies specification if weak fairness is assumed.



# Strong Fairness

---

## ■ Strong Fairness

- A run  $s_0 \xrightarrow{l_0} s_1 \xrightarrow{l_1} s_2 \xrightarrow{l_2} \dots$  is **strongly fair** to a transition  $l$ , if

- if  $l$  is **infinitely often** enabled in the run,
  - then  $l$  is also infinitely often executed the run.

$$(\forall i : \exists j \geq i : \text{Enabled}_R(l, s_j)) \Rightarrow (\forall i : \exists j \geq i : l_j = l).$$

- If  $r$  is strongly fair to  $l$ , it is also weakly fair to  $l$  (but not vice versa).

## ■ LTL formulas may **explicitly specify** strong fairness constraints.

- Let  $E_l$  denote the enabling condition of transition  $l$ .
- Let  $X_l$  denote the predicate “transition  $l$  is executed”.
- Define  $SF_l : \Leftrightarrow (\square \diamond E_l) \Rightarrow (\square \diamond X_l)$ .

If  $l$  is enabled infinitely often, it is executed infinitely often.

- Prove  $\langle I, R \rangle \models (SF_l \Rightarrow F)$ .

Property  $F$  is only proved for runs that are strongly fair to  $l$ .

A much stronger requirement to the fairness of a system.

# Example



```
var x=0
loop
  a : x := -x
  b : choose x := 0 [] x := 1
```

$State := \{a, b\} \times \mathbb{Z}; Label = \{A, B_0, B_1\}.$

$I(p, x) \Leftrightarrow p = a \wedge x = 0.$

$R(I, \langle p, x \rangle, \langle p', x' \rangle) \Leftrightarrow$

$(I = A \wedge (p = a \wedge p' = b \wedge x' = -x)) \vee$

$(I = B_0 \wedge (p = b \wedge p' = a \wedge x' = 0)) \vee$

$(I = B_1 \wedge (p = b \wedge p' = a \wedge x' = 1)).$

■  $\langle I, R \rangle \models SF_{B_1} \Rightarrow \diamond x = 1.$

■  $[a, 0] \xrightarrow{A} [b, 0] \xrightarrow{B_0} [a, 0] \xrightarrow{A} [b, 0] \xrightarrow{B_0} [a, 0] \xrightarrow{A} \dots$

■ This (only) violating run is **not strongly fair** to  $B_1$  (but weakly fair).

■  $B_1$  is infinitely often enabled.

■  $B_1$  is never executed.

System satisfies specification if strong fairness is assumed.



# Weak versus Strong Fairness

---

In which situations is which notion of fairness appropriate?

- Process just waits to be scheduled for execution.
  - Only CPU time is required.
  - Weak fairness suffices.
- Process waits for resource that may be temporarily blocked.
  - Critical region protected by lock variable (mutex/semaphore).
  - Strong fairness is required.
- Non-deterministic choices are repeatedly made in program.
  - Simultaneous listing on multiple communication channels.
  - Strong fairness is required.

Many other notions of fairness exist.



---

1. The Basics of Temporal Logic
2. Specifying with Linear Time Logic
3. **Verifying Safety Properties by Computer-Supported Proving**



# A Bit Transmission Protocol



```
var x, y
var v := 0, r := 0, a := 0
```

S: **loop**

0 : **choose**  $x \in \{0, 1\}$

$v, r := x, 1$

1 : **wait**  $a = 1$

$r := 0$

2 : **wait**  $a = 0$

R: **loop**

0 : **wait**  $r = 1$

$y, a := v, 1$

1 : **wait**  $r = 0$

$a := 0$

Transmit a sequence of bits through a wire.

# A (Simplified) Model of the Protocol



*State* :=  $PC_1 \times PC_2 \times (\mathbb{N}_2)^5$

$I(p, q, x, y, v, r, a) : \Leftrightarrow p = q = 1 \wedge v = r = a = 0.$

$R(\langle p, q, x, y, v, r, a \rangle, \langle p', q', x', y', v', r', a' \rangle) : \Leftrightarrow$   
 $S1(\dots) \vee S2(\dots) \vee S3(\dots) \vee R1(\dots) \vee R2(\dots).$

$S1(\langle p, q, x, y, v, r, a \rangle, \langle p', q', x', y', v', r', a' \rangle) : \Leftrightarrow$   
 $p = 0 \wedge p' = 1 \wedge v' = x' \wedge r' = 1 \wedge$   
 $q' = q \wedge x' = x \wedge y' = y \wedge a' = a.$

$S2(\langle p, q, x, y, v, r, a \rangle, \langle p', q', x', y', v', r', a' \rangle) : \Leftrightarrow$   
 $p = 1 \wedge p' = 2 \wedge a = 1 \wedge r' = 0 \wedge$   
 $q' = q \wedge x' = x \wedge y' = y \wedge v' = v \wedge a' = a.$

$S3(\langle p, q, x, y, v, r, a \rangle, \langle p', q', x', y', v', r', a' \rangle) : \Leftrightarrow$   
 $p = 2 \wedge p' = 0 \wedge a = 0 \wedge$   
 $q' = q \wedge y' = y \wedge v' = v \wedge r' = r \wedge a' = a.$

$R1(\langle p, q, x, y, v, r, a \rangle, \langle p', q', x', y', v', r', a' \rangle) : \Leftrightarrow$   
 $q = 0 \wedge q' = 1 \wedge r = 1 \wedge y' = v \wedge a' = 1 \wedge$   
 $p' = p \wedge x' = x \wedge v' = v \wedge r' = r.$

$R2(\langle p, q, x, y, v, r, a \rangle, \langle p', q', x', y', v', r', a' \rangle) : \Leftrightarrow$   
 $q = 1 \wedge q' = 2 \wedge r = 0 \wedge a' = 0 \wedge$   
 $p' = p \wedge x' = x \wedge y' = y \wedge v' = v \wedge r' = r.$

# A Verification Task

---



$$\langle I, R \rangle \models \square(q = 1 \Rightarrow y = x)$$

$$\text{Invariant}(p, \dots) \Rightarrow (q = 1 \Rightarrow y = x)$$

$$I(p, \dots) \Rightarrow \text{Invariant}(p, \dots)$$

$$R(\langle p, \dots \rangle, \langle p', \dots \rangle) \wedge \text{Invariant}(p, \dots) \Rightarrow \text{Invariant}(p', \dots)$$

$$\begin{aligned} \text{Invariant}(p, q, x, y, v, r, a) :\Leftrightarrow \\ (p = 0 \Rightarrow q = 0 \wedge r = 0 \wedge a = 0) \wedge \\ (p = 1 \Rightarrow r = 1 \wedge v = x) \wedge \\ (p = 2 \Rightarrow r = 0) \wedge \\ (q = 0 \Rightarrow a = 0) \wedge \\ (q = 1 \Rightarrow (p = 1 \vee p = 2) \wedge a = 1 \wedge y = x) \end{aligned}$$

The invariant captures the essence of the protocol.



# A RISCAL Theory

```

type Bit =  $\mathbb{N}[1]$ ; type PC1 =  $\mathbb{N}[2]$ ; type PC2 =  $\mathbb{N}[1]$ ;  

pred S1(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,  

        x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$   

  p = 0  $\wedge$  p0 = 1  $\wedge$  v0 = x0  $\wedge$  r0 = 1  $\wedge$  // x0 arbitrary  

  q0 = q  $\wedge$  y0 = y  $\wedge$  a0 = a;  

pred S2(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,  

        x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$   

  p = 1  $\wedge$  p0 = 2  $\wedge$  a = 1  $\wedge$  r0 = 0  $\wedge$   

  q0 = q  $\wedge$  x0 = x  $\wedge$  y0 = y  $\wedge$  v0 = v  $\wedge$  a0 = a;  

pred S3(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,  

        x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$   

  p = 2  $\wedge$  p0 = 0  $\wedge$  a = 0  $\wedge$   

  q0 = q  $\wedge$  x0 = x  $\wedge$  y0 = y  $\wedge$  v0 = v  $\wedge$  r0 = r  $\wedge$  a0 = a;  

pred R1(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,  

        x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$   

  q = 0  $\wedge$  q0 = 1  $\wedge$  r = 1  $\wedge$  y0 = v  $\wedge$  a0 = 1  $\wedge$   

  p0 = p  $\wedge$  x0 = x  $\wedge$  v0 = v  $\wedge$  r0 = r;  

pred R2(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,  

        x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$   

  q = 1  $\wedge$  q0 = 0  $\wedge$  r = 0  $\wedge$  a0 = 0  $\wedge$   

  p0 = p  $\wedge$  x0 = x  $\wedge$  y0 = y  $\wedge$  v0 = v  $\wedge$  r0 = r;

```



# A RISCAL Theory

```
pred Init(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2)  $\Leftrightarrow$ 
  v = 0  $\wedge$  r = 0  $\wedge$  a = 0  $\wedge$  p = 0  $\wedge$  q = 0;
pred Invariant(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2)  $\Leftrightarrow$ 
  (p = 0  $\Rightarrow$  q = 0  $\wedge$  r = 0  $\wedge$  a = 0)  $\wedge$ 
  (p = 1  $\Rightarrow$  r = 1  $\wedge$  v = x)  $\wedge$ 
  (p = 2  $\Rightarrow$  r = 0)  $\wedge$ 
  (q = 0  $\Rightarrow$  a = 0)  $\wedge$ 
  (q = 1  $\Rightarrow$  (p = 1  $\vee$  p = 2)  $\wedge$  a = 1  $\wedge$  y = x);
pred Property(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2)  $\Leftrightarrow$ 
  q = 1  $\Rightarrow$  y = x;

theorem VC0(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2)  $\Leftrightarrow$ 
  Init(x,y,v,r,a,p,q)  $\Rightarrow$  Invariant(x,y,v,r,a,p,q);
theorem VC1(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,
  x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$ 
  Invariant(x,y,v,r,a,p,q)  $\wedge$  S1(x,y,v,r,a,p,q,x0,y0,v0,r0,a0,p0,q0)  $\Rightarrow$ 
  Invariant(x0,y0,v0,r0,a0,p0,q0);
...
theorem VC5(x:Bit,y:Bit,v:Bit,r:Bit,a:Bit,p:PC1,q:PC2,
  x0:Bit,y0:Bit,v0:Bit,r0:Bit,a0:Bit,p0:PC1,q0:PC2)  $\Leftrightarrow$ 
  Invariant(x,y,v,r,a,p,q)  $\wedge$  R2(x,y,v,r,a,p,q,x0,y0,v0,r0,a0,p0,q0)  $\Rightarrow$ 
  Invariant(x0,y0,v0,r0,a0,p0,q0);
```



# The Proofs

---

Executing  $VC0(\mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z})$  with all 192 inputs.

Execution completed for ALL inputs (23 ms, 192 checked, 0 inadmissible).

Executing  $VC1(\mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z})$  with all 36864 inputs.

Execution completed for ALL inputs (123 ms, 36864 checked, 0 inadmissible).

Executing  $VC2(\mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z})$  with all 36864 inputs.

Execution completed for ALL inputs (50 ms, 36864 checked, 0 inadmissible).

Executing  $VC3(\mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z})$  with all 36864 inputs.

Execution completed for ALL inputs (94 ms, 36864 checked, 0 inadmissible).

Executing  $VC4(\mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z})$  with all 36864 inputs.

Execution completed for ALL inputs (50 ms, 36864 checked, 0 inadmissible).

Executing  $VC5(\mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z}, \mathbb{Z})$  with all 36864 inputs.

Execution completed for ALL inputs (65 ms, 36864 checked, 0 inadmissible).

More instructive: proof attempts with wrong or too weak invariants  
(see demonstration).

# An Operational System Model in RISCAL



```
// the types
type Bit =  $\mathbb{N}[1]$ ; type PC1 =  $\mathbb{N}[2]$ ; type PC2 =  $\mathbb{N}[1]$ ;

// an operational description of the system
shared system Bits
{
    // the system state
    var x:Bit; var y:Bit;
    var v:Bit = 0; var r:Bit = 0; var a:Bit = 0;
    var p:PC1 = 0; var q:PC2 = 0;

    // the correctness property
    invariant q = 1  $\Rightarrow$  y = x;

    // the system invariants that imply the correctness property
    invariant p = 0  $\Rightarrow$  q = 0  $\wedge$  r = 0  $\wedge$  a = 0;
    invariant p = 1  $\Rightarrow$  r = 1  $\wedge$  v = x;
    invariant p = 2  $\Rightarrow$  r = 0;
    invariant q = 0  $\Rightarrow$  a = 0;
    invariant q = 1  $\Rightarrow$  (p = 1  $\vee$  p = 2)  $\wedge$  a = 1  $\wedge$  y = x;
    ...
}
```

# An Operational System Model in RISCAL



```
...
// the non-deterministically chosen initial state values
init (x0:Bit, y0:Bit) { x := x0; y := y0; }

// the sender actions
action S1(any:Bit) with p = 0; { x := any; v := x; r := 1; p := 1; }
action S2() with p = 1  $\wedge$  a = 1; { r := 0; p := 2; }
action S3() with p = 2  $\wedge$  a = 0; { p := 0; }

// the receiver actions
action R1() with q = 0  $\wedge$  r = 1; { y := v; a := 1; q = 1; }
action R2() with q = 1  $\wedge$  r = 0; { a := 0; q := 0; }
}
```

We can check that all reachable states of the system satisfy the correctness property and the invariants; we can also generate from the system model and invariants the verification conditions and check these.

# The Verification in RISCAL



RISC Algorithm Language (RISCAL)

File Edit SMT TP Help

File: bits.txt

```
1// -----
2// a bit transmission protocol
3// (c) 2024, Wolfgang Schreiner <Wolfgang.Schreiner@risc.jku.at>
4// -----
5
6// the types
7type Bit = N[1];
8type PC1 = N[2];
9type PC2 = N[1];
10
11// an operational description of the system
12shared system Bits
13{
14    // the local variables
15    var x:Bit; var y:Bit;
16
17    // the wires
18    var v:Bit = 0; var r:Bit = 0; var a:Bit = 0;
19
20    // the program counters
21    var p:PC1 = 0; var q:PC2 = 0;
22
23    // the correctness property
24    invariant q = 1 -> y = x;
25
26    // the system invariants that imply the correctness property
27    invariant p = 0 -> q = 0 & r = 0 & a = 0;
28    invariant p = 1 -> r = 1 & v = x;
29    invariant p = 2 -> r = 0;
30    invariant q = 0 -> a = 0;
31    invariant q = 1 -> (p = 1 ∨ p = 2) & a = 1 ∨ y = x;
32
33    // the non-deterministically chosen initial state values
34    init (x0:Bit, y0:Bit) { x = x0; y = y0; }
35
36    // the sender actions
37    action S1{any:Bit} with p = 0;
38}
```

Analysis

Translation: Nondeterminism: Default Value: 0 Other Values:  Execution: Silent Inputs: Per Mille: Branches: Depth: Visualization:  Trace  Tree Width: 150 Height: 80C Parallelism:  Multi-Threaded Threads: 4  Distributed Servers:  Operation:  system Bits

Computing the value of \_tbound\_0...
Computing the value of \_tbound\_1...
Computing the value of \_tbound\_2...
Type checking and translation completed.
Executing system Bits.
15 system states found with search depth 7.
Execution completed (1 ms).
The SMT solver Yices started execution.
Theorem \_Bits\_0\_initPre\_verify\_0 is valid.
Theorem \_Bits\_0\_initPre\_verify\_1 is valid.
Theorem \_Bits\_0\_initPre\_verify\_2 is valid.
Theorem \_Bits\_0\_initPre\_verify\_3 is valid.
Theorem \_Bits\_0\_initPre\_verify\_4 is valid.
Theorem \_Bits\_0\_initPre\_verify\_5 is valid.
Theorem \_Bits\_0\_actionPre\_0\_verify\_0 is valid.
Theorem \_Bits\_0\_actionPre\_0\_verify\_1 is valid.
Theorem \_Bits\_0\_actionPre\_0\_verify\_2 is valid.
Theorem \_Bits\_0\_actionPre\_0\_verify\_3 is valid.
Theorem \_Bits\_0\_actionPre\_0\_verify\_4 is valid.
Theorem \_Bits\_0\_actionPre\_0\_verify\_5 is valid.
Theorem \_Bits\_0\_actionPre\_1\_verify\_0 is valid.
Theorem \_Bits\_0\_actionPre\_1\_verify\_1 is valid.
Theorem \_Bits\_0\_actionPre\_1\_verify\_2 is valid.
Theorem \_Bits\_0\_actionPre\_1\_verify\_3 is valid.
Theorem \_Bits\_0\_actionPre\_1\_verify\_4 is valid.
Theorem \_Bits\_0\_actionPre\_1\_verify\_5 is valid.
Theorem \_Bits\_0\_actionPre\_2\_verify\_0 is valid.
Theorem \_Bits\_0\_actionPre\_2\_verify\_1 is valid.
Theorem \_Bits\_0\_actionPre\_2\_verify\_2 is valid.
Theorem \_Bits\_0\_actionPre\_2\_verify\_3 is valid.
Theorem \_Bits\_0\_actionPre\_2\_verify\_4 is valid.

Tasks

- system Bits
  - Execute operation
  - Verify specification preconditions
  - Verify temporal properties
- Verify specification
  - Does system invariant initially hold?
  - Does system invariant initially hold?
- action S1
  - Is system invariant preserved?
  - Is system invariant preserved?
- action S2
  - Is system invariant preserved?
  - Is system invariant preserved?
- action S3
  - Is system invariant preserved?
  - Is system invariant preserved?
- action R1
  - Is system invariant preserved?
  - Is system invariant preserved?

Both kinds of verification succeed.

# A Client/Server System



Client system  $C_i = \langle IC_i, RC_i \rangle$ .

$State := PC \times \mathbb{N}_2 \times \mathbb{N}_2$ .

$Int := \{R_i, S_i, C_i\}$ .

$IC_i(pc, request, answer) \Leftrightarrow$   
 $pc = R \wedge request = 0 \wedge answer = 0$ .

$RC_i(I, \langle pc, request, answer \rangle,$   
 $\langle pc', request', answer' \rangle) \Leftrightarrow$   
 $(I = R_i \wedge pc = R \wedge request = 0 \wedge$   
 $pc' = S \wedge request' = 1 \wedge answer' = answer) \vee$   
 $(I = S_i \wedge pc = S \wedge answer \neq 0 \wedge$   
 $pc' = C \wedge request' = request \wedge answer' = 0) \vee$   
 $(I = C_i \wedge pc = C \wedge request = 0 \wedge$   
 $pc' = R \wedge request' = 1 \wedge answer' = answer) \vee$

---

$(I = \overline{REQ}_i \wedge request \neq 0 \wedge$   
 $pc' = pc \wedge request' = 0 \wedge answer' = answer) \vee$   
 $(I = ANS_i \wedge$   
 $pc' = pc \wedge request' = request \wedge answer' = 1)$ .

```
Client(ident):
    param ident
begin
    loop
        ...
        R: sendRequest()
        S: receiveAnswer()
        C: // critical region
        ...
        sendRequest()
    endloop
end Client
```

# A Client/Server System (Contd)



Server system  $S = \langle IS, RS \rangle$ .

$State := (\mathbb{N}_3)^3 \times (\{1, 2\} \rightarrow \mathbb{N}_2)^2$ .

$Int := \{D1, D2, F, A1, A2, W\}$ .

$IS(given, waiting, sender, rbuffer, sbuffer) \Leftrightarrow$

$given = waiting = sender = 0 \wedge$

$rbuffer(1) = rbuffer(2) = sbuffer(1) = sbuffer(2) = 0$ .

$RS(l, \langle given, waiting, sender, rbuffer, sbuffer \rangle,$

$\langle given', waiting', sender', rbuffer', sbuffer' \rangle) \Leftrightarrow$

$\exists i \in \{1, 2\} :$

$(l = D_i \wedge sender = 0 \wedge rbuffer(i) \neq 0 \wedge$

$sender' = i \wedge rbuffer'(i) = 0 \wedge$

$U(given, waiting, sbuffer) \wedge$

$\forall j \in \{1, 2\} \setminus \{i\} : U_j(rbuffer) \vee$

$\dots$

$U(x_1, \dots, x_n) \Leftrightarrow x'_1 = x_1 \wedge \dots \wedge x'_n = x_n$ .

$U_j(x_1, \dots, x_n) \Leftrightarrow x'_1(j) = x_1(j) \wedge \dots \wedge x'_n(j) = x_n(j)$ .

Server:

```
local given, waiting, sender
begin
  given := 0; waiting := 0
  loop
```

```
D:  sender := receiveRequest()
```

```
  if sender = given then
    if waiting = 0 then
```

```
F:  given := 0
    else
```

```
A1:  given := waiting;
      waiting := 0
      sendAnswer(given)
      endif
```

```
  elseif given = 0 then
```

```
A2:  given := sender
      sendAnswer(given)
      else
```

```
W:  waiting := sender
      endif
```

```
  endloop
```

```
end Server
```

# A Client/Server System (Contd'2)



...

$$(I = F \wedge \text{sender} \neq 0 \wedge \text{sender} = \text{given} \wedge \text{waiting} = 0 \wedge \text{given}' = 0 \wedge \text{sender}' = 0 \wedge U(\text{waiting}, \text{rbuffer}, \text{sbuffer})) \vee$$
$$(I = A1 \wedge \text{sender} \neq 0 \wedge \text{sbuffer}(\text{waiting}) = 0 \wedge \text{sender} = \text{given} \wedge \text{waiting} \neq 0 \wedge \text{given}' = \text{waiting} \wedge \text{waiting}' = 0 \wedge \text{sbuffer}'(\text{waiting}) = 1 \wedge \text{sender}' = 0 \wedge U(\text{rbuffer}) \wedge \forall j \in \{1, 2\} \setminus \{\text{waiting}\} : U_j(\text{sbuffer})) \vee$$
$$(I = A2 \wedge \text{sender} \neq 0 \wedge \text{sbuffer}(\text{sender}) = 0 \wedge \text{sender} \neq \text{given} \wedge \text{given} = 0 \wedge \text{given}' = \text{sender} \wedge \text{sbuffer}'(\text{sender}) = 1 \wedge \text{sender}' = 0 \wedge U(\text{waiting}, \text{rbuffer}) \wedge \forall j \in \{1, 2\} \setminus \{\text{sender}\} : U_j(\text{sbuffer})) \vee$$

...

Server:

```
local given, waiting, sender
begin
  given := 0; waiting := 0
  loop
    D:  sender := receiveRequest()
        if sender = given then
          if waiting = 0 then
            F:    given := 0
            else
              A1:   given := waiting;
              waiting := 0
              sendAnswer(given)
              endif
            elsif given = 0 then
              A2:   given := sender
              sendAnswer(given)
            else
              W:    waiting := sender
              endif
            endloop
  end Server
```

# A Client/Server System (Contd'3)



...

$$(I = W \wedge \text{sender} \neq 0 \wedge \text{sender} \neq \text{given} \wedge \text{given} \neq 0 \wedge \text{waiting}' := \text{sender} \wedge \text{sender}' = 0 \wedge$$
$$U(\text{given}, \text{rbuffer}, \text{sbuffer})) \vee$$

$\exists i \in \{1, 2\} :$

$$(I = \text{REQ}_i \wedge \text{rbuffer}'(i) = 1 \wedge$$
  
$$U(\text{given}, \text{waiting}, \text{sender}, \text{sbuffer}) \wedge$$
  
$$\forall j \in \{1, 2\} \setminus \{i\} : U_j(\text{rbuffer})) \vee$$
$$(I = \overline{\text{ANS}}_i \wedge \text{sbuffer}(i) \neq 0 \wedge$$
  
$$\text{sbuffer}'(i) = 0 \wedge$$
  
$$U(\text{given}, \text{waiting}, \text{sender}, \text{rbuffer}) \wedge$$
  
$$\forall j \in \{1, 2\} \setminus \{i\} : U_j(\text{sbuffer})).$$

Server:

```
local given, waiting, sender
begin
  given := 0; waiting := 0
  loop
    D:  sender := receiveRequest()
        if sender = given then
          if waiting = 0 then
            F:    given := 0
            else
              A1:   given := waiting;
              waiting := 0
              sendAnswer(given)
              endif
            elsif given = 0 then
              A2:   given := sender
              sendAnswer(given)
            else
              W:    waiting := sender
              endif
            endloop
  end Server
```

# A Client/Server System (Contd'4)



$State := (\{1, 2\} \rightarrow PC) \times (\{1, 2\} \rightarrow \mathbb{N}_2)^2 \times (\mathbb{N}_3)^2 \times (\{1, 2\} \rightarrow \mathbb{N}_2)^2$

$I(pc, request, answer, given, waiting, sender, rbuffer, sbuffer) :\Leftrightarrow$

$\forall i \in \{1, 2\} : IC(pc_i, request_i, answer_i) \wedge$

$IS(given, waiting, sender, rbuffer, sbuffer)$

$R(\langle pc, request, answer, given, waiting, sender, rbuffer, sbuffer \rangle,$

$\langle pc', request', answer', given', waiting', sender', rbuffer', sbuffer' \rangle) :\Leftrightarrow$

$(\exists i \in \{1, 2\} : RC_{local}(\langle pc_i, request_i, answer_i \rangle, \langle pc'_i, request'_i, answer'_i \rangle) \wedge$   
 $\langle given, waiting, sender, rbuffer, sbuffer \rangle =$

$\langle given', waiting', sender', rbuffer', sbuffer' \rangle) \vee$

$(RS_{local}(\langle given, waiting, sender, rbuffer, sbuffer \rangle,$

$\langle given', waiting', sender', rbuffer', sbuffer' \rangle) \wedge$

$\forall i \in \{1, 2\} : \langle pc_i, request_i, answer_i \rangle = \langle pc'_i, request'_i, answer'_i \rangle) \vee$

$(\exists i \in \{1, 2\} : External(i, \langle request_i, answer_i, rbuffer, sbuffer \rangle,$   
 $\langle request'_i, answer'_i, rbuffer', sbuffer' \rangle) \wedge$

$pc = pc' \wedge \langle sender, waiting, given \rangle = \langle sender', waiting', given' \rangle)$



# The Verification Task

$$\langle I, R \rangle \models \square \neg (pc_1 = C \wedge pc_2 = C)$$

*Invariant*( $pc$ ,  $request$ ,  $answer$ ,  $sender$ ,  $given$ ,  $waiting$ ,  $rbuffer$ ,  $sbuffer$ ) : $\Leftrightarrow$

$\forall i \in \{1, 2\}$  :

$(pc(i) = R \Rightarrow$

$sbuffer(i) = 0 \wedge answer(i) = 0 \wedge$

$(i = given \Leftrightarrow request(i) = 1 \vee rbuffer(i) = 1 \vee sender = i) \wedge$

$(request(i) = 0 \vee rbuffer(i) = 0)) \wedge$

$(pc(i) = S \Rightarrow$

$(sbuffer(i) = 1 \vee answer(i) = 1 \Rightarrow$

$request(i) = 0 \wedge rbuffer(i) = 0 \wedge sender \neq i) \wedge$

$(i \neq given \Rightarrow$

$request(i) = 0 \vee rbuffer(i) = 0)) \wedge$

$(pc(i) = C \Rightarrow$

$request(i) = 0 \wedge rbuffer(i) = 0 \wedge sender \neq i \wedge$

$sbuffer(i) = 0 \wedge answer(i) = 0) \wedge$

$(pc(i) = C \vee sbuffer(i) = 1 \vee answer(i) = 1 \Rightarrow$

$given = i \wedge$

$\forall j : j \neq i \Rightarrow pc(j) \neq C \wedge sbuffer(j) = 0 \wedge answer(j) = 0) \wedge$

...

# The Verification Task (Contd)



...

$$\begin{aligned} & (\text{sender} = 0 \wedge (\text{request}(i) = 1 \vee \text{rbuffer}(i) = 1) \Rightarrow \\ & \quad \text{sbuffer}(i) = 0 \wedge \text{answer}(i) = 0) \wedge \\ & (\text{sender} = i \Rightarrow \\ & \quad (\text{waiting} \neq i) \wedge \\ & \quad (\text{sender} = \text{given} \wedge \text{pc}(i) = R \Rightarrow \\ & \quad \text{request}(i) = 0 \wedge \text{rbuffer}(i) = 0) \wedge \\ & \quad (\text{pc}(i) = S \wedge i \neq \text{given} \Rightarrow \\ & \quad \text{request}(i) = 0 \wedge \text{rbuffer}(i) = 0) \wedge \\ & \quad (\text{pc}(i) = S \wedge i = \text{given} \Rightarrow \\ & \quad \text{request}(i) = 0 \vee \text{rbuffer}(i) = 0)) \wedge \\ & (\text{waiting} = i \Rightarrow \\ & \quad \text{given} \neq i \wedge \text{pc}_i = S \wedge \text{request}_i = 0 \wedge \text{rbuffer}(i) = 0 \wedge \\ & \quad \text{sbuffer}_i = 0 \wedge \text{answer}(i) = 0) \wedge \\ & (\text{sbuffer}(i) = 1 \Rightarrow \\ & \quad \text{answer}(i) = 0 \wedge \text{request}(i) = 0 \wedge \text{rbuffer}(i) = 0) \end{aligned}$$

The invariant has been elaborated in the course of the verification.



# An Operational System Model in RISCAL

Generalized to  $N \geq 2$  clients.

```
val N:N;                      // the number of clients
type Bit = N[1];              // messages are just signals
type Client = N[N];           // client ids 0..N-1, N: no client
type Buffer = Array[N, Bit];  // for each client a single message may be buffered
type PC = N[2]; val R = 0; val S = 1; val C = 2; // the client program counters

// the system with one server and N clients
shared system clientServer
{
  var pc: Array[N,PC] = Array[N,PC](R);    // the state of the clients
  var request: Buffer = Array[N, Bit](0);
  var answer: Buffer = Array[N, Bit](0);

  var given: Client = N;                  // the state of the server
  var waiting: Buffer = Array[N, Bit](0);
  var sender: Client = N;
  var rbuffer: Buffer = Array[N, Bit](0);
  var sbuffer: Buffer = Array[N, Bit](0);

  // the correctness property
  invariant  $\neg \exists i1:Client, i2:Client \text{ with } i1 \neq N \wedge i2 \neq N \wedge i1 < i2.$ 
    pc[i1] = C  $\wedge$  pc[i2] = C;
  ...
}
```

Variable `waiting` has now to record a *set* of waiting clients.

# An Operational System Model in RISCAL



```
action R(i:Client) with i ≠ N ∧ pc[i] = R ∧ request[i] = 0; // the client transitions
{ pc[i] := S; request[i] := 1; }
action S(i:Client) with i ≠ N ∧ pc[i] = S ∧ answer[i] ≠ 0;
{ pc[i] := C; answer[i] := 0; }
action C(i:Client) with i ≠ N ∧ pc[i] = C ∧ request[i] = 0;
{ pc[i] := R; request[i] := 1; }

action D(i:Client) with i ≠ N ∧ sender = N ∧ rbuffer[i] ≠ 0; // the server transitions
{ sender := i; rbuffer[i] := 0; }
action F() with sender ≠ N ∧ sender = given ∧
    ∀i:Client with i ≠ N. waiting[i] = 0;
{ given := N; sender := N; }
action A1(i:Client) with i ≠ N ∧
    sender ≠ N ∧ sender = given ∧ waiting[i] ≠ 0 ∧
    sbuffer[i] = 0;
{ given := i; waiting[i] = 0; sbuffer[given] := 1; sender := N; }
action A2() with sender ≠ N ∧ sender ≠ given ∧ given = N ∧
    sbuffer[sender] = 0;
{ given := sender; sbuffer[given] := 1; sender := N; }
action W() with sender ≠ N ∧ sender ≠ given ∧ given ≠ N;
{ waiting[sender] := 1; sender := N; }

action REQ(i:Client) with i ≠ N ∧ request[i] ≠ 0 ∧ rbuffer[i] = 0; // the communication subsystem
{ request[i] := 0; rbuffer[i] := 1; }
action ANS(i:Client) with i ≠ N ∧ sbuffer[i] ≠ 0 ∧ answer[i] = 0;
{ sbuffer[i] := 0; answer[i] := 1; }
}
```

# An Operational System Model in RISCAL



```
// the correctness property
invariant  $\neg \exists i1:Client, i2:Client \text{ with } i1 \neq N \wedge i2 \neq N \wedge i1 < i2. \text{pc}[i1] = C \wedge \text{pc}[i2] = C;$ 

// the system invariants that imply the correctness property
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{pc}[i] = R.$ 
   $\text{sbuffer}[i] = 0 \wedge \text{answer}[i] = 0 \wedge (\text{request}[i] = 0 \vee \text{rbuffer}[i] = 0) \wedge$ 
   $(i = \text{given} \Leftrightarrow \text{request}[i] = 1 \vee \text{rbuffer}[i] = 1 \vee \text{sender} = i);$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{pc}[i] = S.$ 
   $(\text{sbuffer}[i] = 1 \vee \text{answer}[i] = 1 \Rightarrow \text{request}[i] = 0 \wedge \text{rbuffer}[i] = 0 \wedge \text{sender} \neq i) \wedge$ 
   $(i \neq \text{given} \Rightarrow \text{request}[i] = 0 \vee \text{rbuffer}[i] = 0);$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{pc}[i] = C.$ 
   $\text{request}[i] = 0 \wedge \text{rbuffer}[i] = 0 \wedge \text{sender} \neq i \wedge \text{sbuffer}[i] = 0 \wedge \text{answer}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge (\text{pc}[i] = C \vee \text{sbuffer}[i] = 1 \vee \text{answer}[i] = 1).$ 
   $\text{given} = i \wedge \forall j:Client \text{ with } j \neq N \wedge j \neq i. \text{pc}[j] \neq C \wedge \text{sbuffer}[j] = 0 \wedge \text{answer}[j] = 0;$ 
invariant  $\text{sender} = N \Rightarrow \forall i:Client \text{ with } i \neq N \wedge (\text{request}[i] = 1 \vee \text{rbuffer}[i] = 1).$ 
   $\text{sbuffer}[i] = 0 \wedge \text{answer}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{sender} = i.$ 
   $\text{waiting}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{sender} = i \wedge \text{pc}[i] = R \wedge \text{sender} = \text{given}.$ 
   $\text{request}[i] = 0 \wedge \text{rbuffer}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{sender} = i \wedge \text{pc}[i] = S \wedge \text{sender} \neq \text{given}.$ 
   $\text{request}[i] = 0 \wedge \text{rbuffer}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{sender} = i \wedge \text{pc}[i] = S \wedge \text{sender} = \text{given}.$ 
   $\text{request}[i] = 0 \vee \text{rbuffer}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{waiting}[i] = 1.$ 
   $\text{given} \neq i \wedge \text{pc}[i] = S \wedge$ 
   $\text{request}[i] = 0 \wedge \text{rbuffer}[i] = 0 \wedge \text{sbuffer}[i] = 0 \wedge \text{answer}[i] = 0;$ 
invariant  $\forall i:Client \text{ with } i \neq N \wedge \text{sbuffer}[i] = 1.$ 
   $\text{answer}[i] = 0 \wedge \text{request}[i] = 0 \wedge \text{rbuffer}[i] = 0;$ 
```

## The Verification in RISCAL



We can (for say  $N = 4$ ) check that the system execution satisfies the invariants; we can also check the verification conditions generated from the system invariants; finally we can *prove* the conditions for *arbitrary*  $N$ .